CRUCIAL has designed Clinical Studio with careful reference to the FDA’s Part 11 compliance requirements as of October 2011 and Guidance on the Use of Computerized Systems for Clinical Research. Regulations and guidance documents used include –
- 21CFR11 01 April 2011 revision
- Draft Guidance For Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Validation – Scope and Application 2003
- Final Guidance for Industry Computerized Systems used in Clinical Investigations May 2007
- Draft Guidance for Industry Oversight of Clinical Investigations — A Risk-Based Approach to Monitoring Guidance for Industry Oversight of Clinical Investigators August 2011
The aim of 21CFR11 is to establish the criteria under which the FDA will consider electronic records and signatures to be trustworthy and reliable and generally equivalent to traditional paper records and signatures (11.1(a)). It should be noted that 21CFR11 covers both technology and processes, and that those processes remain largely under the care, control and responsibility of the Sponsor or CRO rather than the software/system vendor. Examples of processes that fall into this category include, but are not limited to, the need to establish the identity of users and have the sponsor certify to the Agency in writing that the electronic signatures used in the system are intended to be the legally binding equivalent of handwritten signatures (Subpart C 11.100 (b), (c)), as well determining that people using electronic signature systems have the appropriate education, training and experience to adequately use the system and to the development and adherence to written policies holding individuals responsible for data/actions entered/conducted under their electronic signatures (11.10 (i), (j)).
The FDA’s guidance is intended to provide in a descriptive fashion the manner in which systems should function in order to obtain and retain quality data. In similar fashion to 21CFR11, the Guidance combines both system characteristics and those that remain the responsibility of Sponsors and CROs. Clinical Studio aligns with the Guidance, and supports Guidance recommended practices as needed.
The Clinical Studio system complies with those aspects of FDA Guidance with respect to data under the overarching ALCOA principle of Attribution, via linking to a specific user and patient/case; Legibility via standard characters, fonts and display of data; Dates and times of entry are obtained and permanently associated with entries; Originality wherein data cannot ever be obliterated, lost, or otherwise obscured in all cases, and with special importance where those data form the source document; and Accuracy via extensive and robust IQ/OQ/PQ testing, provision of edit checks, conditional actions and other mechanisms designed to prevent acquisition of erroneous data, and the support of both remote and on-site monitoring.
The following describes how Clinical Studio addresses specific components of 21CFR11 in more detail, and Guidance on Computerized Systems Used in Clinical Investigations elements are also addressed.
21CFR11 (a) Controls for Closed Systems: Validation
Clinical Studio has been purposefully built with an automated validation and documentation tool that comprehensively tests IQ/OQ/PQ parameters for every field within any given study/project and generates detailed human-readable documentation for review and storage. Proactive detection of invalid records is achieved through User defined edit checks and similarly (see CSICI IV F.1 Other system Features: Direct Entry of Data below) visibility of altered records is clear through the automated audit trail function (see 21CFR11.10 Controls for Closed systems (e); CSICI IV D.2 Audit Trails below).
21CFR11.10 (b) Controls for Closed Systems: Human Readable Records
All data within Clinical Studio is available in human readable form either via standard dataset format(s) export and/or viewing within the system, and/or printing in CRF format on a form by form or subject/patient case basis.
21CFR11.10 (c) Controls for Closed Systems: Protection & Retention
All data captured within the Clinical Studio system is subject to stringent protections and is maintained in such a manner as to be available at all times during the course of any given project. Following the closure of a particular project, complete dataset transfers are made to the Sponsor or CRO for retention. Please see also CSICI IV F.4 System Controls below.
21 CFR 11.10(d) CSICI IV D.1 Limited access; 21CFR11.300 (a), (b), (c) Controls for identification codes/passwords
Clinical Studio provides a unique individual account for each User. That account is stored as a separate entity in the database. Prior to a User gaining access to the system, the User must provide the unique User ID and Password previously assigned and chosen respectively. That User ID and Password initiates an Internet Information Services (IIS) session. IIS is a web server application and set of feature extension modules created by Microsoft – IIS 7 and supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It is an integral part of the Windows Server family of products and allows for sophisticated security and system behavior controls.
The User session is managed by the system via IIS and an Administrator User can adjust system session behavior. Clinical Studio provides Administrator Users the ability to setup regular and ad hoc required password changes, time between forced password changes, the level of password reuse, as well as inactivity timeout length prior to system “screen-saver” User Name and Password controlled re-access, and total time out to complete session termination and system lock. Lost passwords can only be reinstated via an industry standard method of token generation sent to the registered User email account in question. These tokens are single use, time-sensitive, and requesting generation of a token automatically disables the original password.
21CFR11.10 (e) Controls for Closed Systems; CSICI IV D.2 Audit Trails
All changes to forms are captured by the system and displayed as separate transactions at the bottom of each form. Regardless of any future actions, no data is ever obliterated and all records can be completely reconstructed longitudinally. In addition, the system monitors and records each User and their navigation path through the system. Monitoring reviews can require Users to provide reasons why data does not match source documentation or why given changes have been made. A variety of reports allow Administrators to review these transactions in accordance with the FDA’s draft guidance on risk-based approaches to monitoring in detecting site or individual abnormalities that may indicate data quality issues.
21CFR11 (f) Controls for Closed Systems: Enforcement of sequencing of events
Clinical Studio has built-in and user definable logic pathways that require persons entering data to follow the correct sequence of conducting the study. The system is more powerful than a paper-based system in this regard in that it is impossible for Users to enter data before it should have been collected; it can require the entry of lab result(s) or test data prior to allowing an action such as treatment that maybe predicated upon those events and/or data capture/review. See also CSICI IV F.1 Other system Features: Direct Entry of Data below.
21CFR11 (g) Controls for Closed Systems: Authorized Individuals Access
While the sponsor is responsible for verifying the identity of an individual and authorizing their use of the system, security surrounding access is facilitated via the Role-Based Security (RBS) feature within Clinical Studio. In RBS, Users are assigned particular roles and privileges that accompany that role such as sign-off, view only, alter data, enter data etc. Privilege levels may be altered by Authorized Users, typically at the Sponsor/CRO level within Clinical Studio.
21CFR11.10 (h) Validity of Source Data Input; 21CFR11.300 (d) Controls for Identification Codes/Passwords
Through the transaction auditing feature, each page that a given User visits is recorded. That information contains the Application, Page, Site, User, Date and Time, Session Parameters (what they are doing in the page), and the IP address of their Internet connection. Use of this audit feature allows Administrators to do routine audit checks against known site IP addresses or a list of known risky IP addresses. Each visit to a page records everything that User has to load that page. Subsequently that page can be reconstructed. Any changes made to a form on that page are also recorded. Additionally, the system immediately reports to the System Administrator any attempts to use User IDs and passwords in an unauthorized manner.
21CFR11 (k) (1) (2) Controls for Closed Systems: Controls Over System Documentation
During any period in which CRUCIAL hosts the Clinical Studio system, CRUCIAL will hold as confidential internal company documents all documentation surrounding the fundamental operation of the Clinical Studio system pertaining to operation and maintenance per CRUCIAL SOP 1001–01 CLSDS Quality Management System Plan. Revision and change control procedures are in place that document in audit trail format with time sequencing and System Admin User implementing/responsible, all development on new/revised aspects of the operation of the system and the supporting documentation thereto, as per CRUCIAL SOP 1001–03 QMS Document Management Plan.
In the event a Sponsor/CRO wishes to host the Clinical Studio system, controls over the System documentation, once provided by CRUCIAL in the first instance and as needed per CSICI IV F.5 Change Controls below, become the responsibility of the customer.
21CFR11.70 Signature/Record Linking
Clinical Studio records all instances of signature application and permanently links those signatures to the respective electronic method in a manner whereby the signature cannot be dissociated with the record. It is important to note that with the appropriate authority, records can be unlocked and data modified (for example, where study close-out monitoring uncovers data issues that require resolution), and that unlocking and eventual re-signature will not obscure the original signature details.
21CFR11.100 (a) General Requirements
Clinical Studio enforces the use of unique User ID and password combinations and disallows reassignment to any other User.
21CFR11.200 (a) (1) Electronic Signature Components and Controls; 11.50 Signature Manifestations
All e-signatures require that the signing User provide their User ID and Password. Prior to this, a statement is displayed explaining exactly to what the e-signature application attests (authorships, verification, approval, responsibility etc.). In addition, all sign-offs include the printed name of the signatory with date/time stamping. All signatures are available for review in human readable format.
21CFR11.200 (a) (1)(i) Electronic Signature Components and Controls
All batch sign-offs require the User with sign-off privileges (typically the Investigator) to view a statement about electronic signatures and a statement detailing what they are applying the e-signature to. To perform the application of e-signature, the system then requires the Investigator to provide both a User ID and Password prior to signing any batch of forms.
CSICI IV D.3. Date and Time Stamps
All activities within the Clinical Studio system are date and time stamped. Local time is displayed to the User and is converted and stored in UTC GMT (Greenwich Mean Time) to provide a standardized reference point to which activities can be related.
CSICI IV E. External Security Safeguards
In addition to 21CFR11 requirements, Clinical Studio complies with this Guidance section in that external software applications cannot alter, browse, query or report on data other than via the Clinical Studio system with the appropriate authorization. Datasets generated by the system at the request of an authorized User which are then exported and used by another software program or system become the responsibility of the requesting User. A comprehensive listing of Users, their roles/titles, access privileges and other pertinent information for any given project is generated by the system and remains permanently available.
Also, additions of or modifications to applications and/or programs are restricted to System Admin authorized users only, which in combination with the Sophos Endpoint Security and Control anti-virus anti-malware safeguards effectively protect the servers and Clinical Studio program from intentional or unintentional damage or corruption.
CSICI IV F.1 Other System Features: Direct Entry of Data
Comprehensive, powerful, and automatically tested and reported edit checks, range checks, conditional actions, and sequencing of events/data collection are available within the system to be employed as seen fit by the Sponsor/CRO User to enhance data quality and/or prevent submission of erroneous data. See also 21CFR11 (f) Controls for Closed Systems: Enforcement of Sequencing of Events above.
CSICI IV F.2 Retrieving Data
Clinical Studio is designed in a fashion that attributes data within a study to an individual subject/patient within the study. Elements within this section detailing to the Agency how source data were obtained, managed, and the use of the system to capture data, is the responsibility of the Sponsor or CRO using the system.
CSICI IV F.4 System Controls
Periodic backup of all data is conducted hourly and automatically copied to an offsite location separate from the primary server on which the system is running. In order to check the validity of the backups, an additional server is in place and runs an automated restore test on a daily basis. To facilitate disaster recovery and minimize any possible data loss, Recovery logs/WAL logs/Archive logs are copied to the offsite location and a separate Disaster Recovery server as soon as they are written to disk on a transaction by transaction basis. Status of backups and restores including successes, failures, and other errors are logged and System Admin staff are automatically notified.
In the event the Sponsor/CRO has elected to host the Clinical Studio system, set-up and control of these functions become their responsibility.
CSICI IV F.5 Change Controls
Each Clinical Studio customer has a separate code and database. Scheduled changes to the software are released on a quarterly basis. Each component of the change is thoroughly documented per CRUCIAL SOP 1001–08 Use Redmine Tracking System to Manage Product Change Control and SOP 1001–15 CLSDS Code Release Process. Any given customer must sign off on whether they want the change applied to their code base. Certain changes are dependent on prior changes; therefore, each client is made aware of the dependency risk of not accepting a given change.
Bugs are fixed and can be moved forward immediately if required. Each client is informed of the bug fix and must formally indicate that they want the change applied to their Clinical Studio instance.
All hardware changes and upgrades that require the system to be taken offline are scheduled to take place when system loads are lightest (typically after midnight and before 6:00am CST or from 12:01am Saturdays to 6:00am Mondays, but can be adjusted to suit the particular customer’s needs). When this happens, the studies/projects that are running on that given piece of hardware are made inactive until the hardware upgrades are complete and tested. Once thoroughly tested per CRUCIAL SOP 1001–17 CLSDS Software Verification and Validation Plan, the studies/projects are then reactivated. All customers are made aware of these scheduled changes at least two weeks in advance through the site notification system.
Unpredictable hardware failures are caught 99.998% of the time through one of five redundant layers in the hardware stack. Remediation is made in these instances without interruption to system availability and is transparent to the end User.